Comments
Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
CaryBarker
CaryBarker,
User Rank: Apprentice
12/27/2012 | 8:33:07 PM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies


The article title and the article itself don't seem to match. The quote from Steve Pao about M&M security no longer being valid has been well known by the Information Assurance community for over a decade. The M&M quote also conflicts with the article title; is layered security old hat or isn't it?

While the article touches on everything from Risk Assessments to cloud security, it misses one critical component most of these articles miss - the human element. All of the security in the world isn't going to matter if people can be tricked into giving out their password or executing the code at the other end of the HTTP link.

stu8king
stu8king,
User Rank: Apprentice
1/2/2013 | 3:01:50 PM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
The article is good in that it points out the truism that security strategies are, to a large degree, flawed and need a new approach, but then falls back on the old clichés of "do a risk assessment", "think holistically." The point is that new ways of thinking are needed - risk assessments are and have always been a flawed approach because of the natural bias inherent whenever people try to figure out what's important. You have to start from the perspective of protecting revenue. It's all about money. The greatest risk is where the most money or losses can occur. Face it - you don't need a risk assessment to figure out the assets that are most important to your business - you need some degree of common sense and the ability to communicate a decent plan. Finally - if you think technology is the solution then you do not understand the problem.
moarsauce123
moarsauce123,
User Rank: Ninja
1/2/2013 | 6:44:42 PM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
@stu8king You are thinking of classic "posture" or "point-in-time" based risk assessments. I think what's being suggested instead here is just that holistic approach you see as flawed, but more "on-going" in nature: a security improvement program with a security improvement process.

What I took as the point of this article is that technology-focused security products/services, even when they fit into a solution or reference architecture, are oversold, underutilized, and ineffective.

Instead, leaders need to lead and their security professionals need to hack their way secure -- but they MUST coordinate these efforts TOGETHER focused on their SPECIFIC needs in order to even HOPE for any small successes.
moarsauce123
moarsauce123,
User Rank: Ninja
1/2/2013 | 7:08:56 PM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
Layered security is the practice of buying a [usually best-of-class] set of security solutions (which encompass products/services from multiple vendors that are intended to work well together to provide that classic "Defense-in-Depth -- aka DiD").
The NSA IATF, which created DiD, included operational practices/procedures and personnel (individual capital, aka "talented people"). Unfortunately, security product/service vendors did not include this. They assumed this would be left up to their customers, the companies and organizations who hire their own people for Information Security Management and Risk Management (such as CISOs or CSOs). Modern CISO/CSOs aren't even aware of the frameworks (e.g. ISO 27k), let alone the easy-do-it-in-a-day frameworks (e.g. Visible Ops Security) -- and they don't use them. They use COBIT, if anything. Most are just compliance-nerds, placating PCI DSS or GLBA/HIPAA.

What basically resulted was companies hiring [often multiple] highly-paid CISO/CSOs with huge bonuses and incentives to stockpile security product technology without any staff to operate or optimize the products. This is why many security appliances, firewalls, and web-application firewall technologies are often referred to as "door-stops".

The demand for security-producing solutions has overpopulated the information security industry with less-than-talented individuals because the industry has over-focused on vendor-specific-solutions instead of holistic (e.g. "Reverse Deception") problem-solving activities.

We are in the "triage" state of information security management and risk management. If you went to the hospital, and the triage nurses and doctors told you to go home bleeding and dying because they don't know how to diagnose (let alone treat) your disorder -- wouldn't that be a lawsuit waiting to happen? Instead, staff that perform triage at the hospital need to be aware of all of the potential outcomes and pass that information to the specialized ER team. In the information security world -- these are our needed "security architects" and their patient is the business, not some IT manager focused on vendor solutions.

When it comes time to add specialists, security architects can add them as Incident Response (IR) personnel tied to the type of breaches that are occurring. Add IR staff at a rate that is quantitatively tied to the rate of breaches. If you do this correctly, you'll have a baseline level of staff necessary to tackle information security management and risk management programs for your organization.
Don Gray
Don Gray,
User Rank: Apprentice
1/4/2013 | 3:43:13 PM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
I was following the premise of the article for the most part.

And agree that having the right personnel with the right skills is if not the hardest part of the problem to solve, one of the hardest. Often times we see organizations fail to make use of security capabilities inherent in the infrastructure they already have because as mentioned, they don't have a risk based approach to securing the enterprise and they don't have the depth of expertise required.

But then you mentioned this:

"There's a shakeup that's going to occur in enterprises because there have been so many breaches," Prisco says. "There was a day when we could say, 'Nobody ever got fired for buying IBM,' but, at this point, there are no safe choices in technology ... If management finds out that a breach occurred -- and there was technology that could have stopped it and you didn't buy it -- then it doesn't matter how safe your choices were."

Which to me seems to invalidate the entire point of the article!

You can't have it both ways. Either you do a risk assessment and make risk based decisions or you "buy stuff" and hope it works.

True risk based decision making forces the issue of justifying and weighing the costs of a solution versus the costs of a breach and incorporating the organization's risk tolerance. That means sometimes you don't spend money on a piece of technology.

But traditional risk based approaches don't account for things like black swans and I would argue are often based on flawed models of the risks they are trying to address. In many risk based approaches I have seen there is a lack of discernment between what is valuable and what is not. And there is a misunderstanding of what is likely and what is not. This inevitably leads to the highest value assets being under protected and the lowest value assets being over protected.

In my opinion that needs to be improved before we can avoid the scenario you outlined where the decision making comes down to "better safe than sorry" buying decisions.
psmith531
psmith531,
User Rank: Apprentice
1/8/2013 | 4:45:43 PM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
The title of the article is pointless. Basically the article says that the problem is not the layered defense, but the implementation of it. People don't have any idea of how their networks and applications work and basically just throw products at it in the hope that something will catch a problem. If you understand how applications and networks work, then you can build layered defenses against these problems that will stop it. All applications, whether they are good or bad will behave in a certain way. When they don't, then something is wrong and you should be able to see that.

The problem is not the layered approach. The problem is the lack of understanding how to build the layered approach and the proper processes and procedures around it.
MROBINSON000
MROBINSON000,
User Rank: Apprentice
1/14/2013 | 8:39:47 AM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
Really insightful article! There isn't a security threat that you can think of that some security company's marketing literature doesn't promise a solution for. But despite the zeal of marketers and the production of many great security solutions, there are still many threats to enterprise IT that simply cannot be offset, mitigated or prevented by a single technology solution. Because this topic is so important to the industry, here are a series of blogs that cover four genres of tools and technologies. The blogs discuss pros & cons; and, most importantly, what each genre can and cannot protect against: http://blog.securityinnovation...
Here are the 4 genres: Development tools; Test tools; IT/Network defenses; Standards, Policies, and Maturity Models. Hope you and your readers find it useful! Keep up the good work!
MichaelSB
MichaelSB,
User Rank: Apprentice
1/17/2013 | 6:19:55 PM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
Very insightful article, although I disagree with your assumption that a layered defense is not working. Your title should have said a misconfigured layered defense is not working. Defense in depth is a proven strategy if properly implemented. I do agree with some of your points, especially with new and emerging threats. Vigilance is the key here. You can't configure your security solution then sit back. As the threats evolve so must your solution.
SgS125
SgS125,
User Rank: Ninja
1/17/2013 | 7:27:19 PM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
I think they are correct, the layered approach is just the same template over and over. The only real tool that seems to work is direct analysis of the traffic, and connections. I would still keep all the "hard crunchy outside" stuff, but I would much rather see what is being accepted past my defenses rather than what is stopped. Especially what is leaving the network and where it is going. They are right we have to have the talent and the desire to work on the issue. Most places I have been do not take security seriously once they think the firewalls make them safe.

You are right, once the system is built it is time to keep it up to date....daily.
_stephan_
_stephan_,
User Rank: Apprentice
2/2/2013 | 2:37:49 AM
re: Rethinking IT Security Architecture: Experts Question Wisdom Of Current 'Layered' Cyberdefense Strategies
A blog post I wrote that is along the same lines - I definitely agree with most of what was said above - http://blog.ioactive.com/2013/...